From: Dmitry Vyukov <dvyukov@google.com>
To: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>,
Hillf Danton <hillf.zj@alibaba-inc.com>,
David Rientjes <rientjes@google.com>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
LKML <linux-kernel@vger.kernel.org>,
Hugh Dickins <hughd@google.com>, Greg Thelen <gthelen@google.com>,
syzkaller <syzkaller@googlegroups.com>,
Kostya Serebryany <kcc@google.com>,
Alexander Potapenko <glider@google.com>,
Sasha Levin <sasha.levin@oracle.com>,
Eric Dumazet <edumazet@google.com>
Subject: Re: memory leak in alloc_huge_page
Date: Tue, 1 Dec 2015 20:45:28 +0100 [thread overview]
Message-ID: <CACT4Y+Zsw23LiBhakWUFfO88OuuHsV588g3T9UPfMKxRBLojGQ@mail.gmail.com> (raw)
In-Reply-To: <565DEC6C.4030809@oracle.com>
On Tue, Dec 1, 2015 at 7:52 PM, Mike Kravetz <mike.kravetz@oracle.com> wrote:
> On 12/01/2015 06:04 AM, Dmitry Vyukov wrote:
>> Hello,
>>
>> The following program leaks memory:
>>
>> // autogenerated by syzkaller (http://github.com/google/syzkaller)
>> #include <syscall.h>
>> #include <string.h>
>> #include <stdint.h>
>>
>> #define SYS_mlock2 325
>>
>> int main()
>> {
>> syscall(SYS_mmap, 0x20000000ul, 0x1000ul, 0x3ul, 0x45031ul,
>> 0xfffffffffffffffful, 0x0ul);
>> syscall(SYS_mlock2, 0x20000000ul, 0x1000ul, 0x1ul, 0, 0, 0);
>> return 0;
>> }
>>
>> unreferenced object 0xffff88002eaafd88 (size 32):
>> comm "a.out", pid 5063, jiffies 4295774645 (age 15.810s)
>> hex dump (first 32 bytes):
>> 28 e9 4e 63 00 88 ff ff 28 e9 4e 63 00 88 ff ff (.Nc....(.Nc....
>> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>> backtrace:
>> [< inline >] kmalloc include/linux/slab.h:458
>> [<ffffffff815efa64>] region_chg+0x2d4/0x6b0 mm/hugetlb.c:398
>> [<ffffffff815f0c63>] __vma_reservation_common+0x2c3/0x390 mm/hugetlb.c:1791
>> [< inline >] vma_needs_reservation mm/hugetlb.c:1813
>> [<ffffffff815f658e>] alloc_huge_page+0x19e/0xc70 mm/hugetlb.c:1845
>> [< inline >] hugetlb_no_page mm/hugetlb.c:3543
>> [<ffffffff815fc561>] hugetlb_fault+0x7a1/0x1250 mm/hugetlb.c:3717
>> [<ffffffff815fd349>] follow_hugetlb_page+0x339/0xc70 mm/hugetlb.c:3880
>> [<ffffffff815a2bb2>] __get_user_pages+0x542/0xf30 mm/gup.c:497
>> [<ffffffff815a400e>] populate_vma_page_range+0xde/0x110 mm/gup.c:919
>> [<ffffffff815a4207>] __mm_populate+0x1c7/0x310 mm/gup.c:969
>> [<ffffffff815b74f1>] do_mlock+0x291/0x360 mm/mlock.c:637
>> [< inline >] SYSC_mlock2 mm/mlock.c:658
>> [<ffffffff815b7a4b>] SyS_mlock2+0x4b/0x70 mm/mlock.c:648
>>
>> If this program run in a loop number of objects in kmalloc-32 slab
>> indeed grows infinitely.
>>
>> On commit 31ade3b83e1821da5fbb2f11b5b3d4ab2ec39db8 (Nov 29).
>>
>> There seems to be another leak if nrg is not NULL on this path, but
>> it's not what happens in my case since the WARNING does not fire.
>> Still something to fix:
>>
>> diff --git a/mm/hugetlb.c b/mm/hugetlb.c
>> index 827bb02..e97a31b 100644
>> --- a/mm/hugetlb.c
>> +++ b/mm/hugetlb.c
>> @@ -372,8 +372,10 @@ retry_locked:
>> spin_unlock(&resv->lock);
>>
>> trg = kmalloc(sizeof(*trg), GFP_KERNEL);
>> - if (!trg)
>> + if (!trg) {
>> + WARN_ON(nrg != NULL);
>> return -ENOMEM;
>> + }
>>
>> spin_lock(&resv->lock);
>> list_add(&trg->link, &resv->region_cache);
>>
>>
>
> Thanks Dmitry,
>
> If nrg is not NULL, then it was added to the resv map and 'should' be
> free'ed when the map is free'ed. This is not optimal, but I do not
> think it would lead to a leak. I'll take a close look at this code
> with an emphasis on the leak you discovered.
Hi Mike,
Note that it's not just a leak report, it is an actual leak. You
should be able to reproduce it.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2015-12-01 19:45 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-01 14:04 Dmitry Vyukov
2015-12-01 18:52 ` Mike Kravetz
2015-12-01 19:45 ` Dmitry Vyukov [this message]
2015-12-02 0:54 ` Mike Kravetz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CACT4Y+Zsw23LiBhakWUFfO88OuuHsV588g3T9UPfMKxRBLojGQ@mail.gmail.com \
--to=dvyukov@google.com \
--cc=akpm@linux-foundation.org \
--cc=dave.hansen@linux.intel.com \
--cc=edumazet@google.com \
--cc=glider@google.com \
--cc=gthelen@google.com \
--cc=hillf.zj@alibaba-inc.com \
--cc=hughd@google.com \
--cc=kcc@google.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mike.kravetz@oracle.com \
--cc=n-horiguchi@ah.jp.nec.com \
--cc=rientjes@google.com \
--cc=sasha.levin@oracle.com \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox